Condition
Management

In
this section:

About
Conditions

Conditions are used to create rules which enable actions to be executed
based on who, where from or how a user is connecting to a computer or
application. Conditions based on Directory Membership, User, Computer,
Session and Client can be used to create a configuration which can define
computer usage throughout an organization.

They are the bridge between triggers and actions to provide context
for applying the action. For example:

Trigger

Condition

Action

User > Logon

User > User Name

Map Drive

The action is to map a drive when a user logs on. The condition allows
a user to be specified so the drive is mapped only for that particular
user. Without the condition, the drive would be mapped for all users at
logon.

Actions can be set to execute when the criteria within the condition
is true or false for the user or their computer. For example, a condition
can be created which applies the associated actions to a specified computer
or the actions could be set to execute for any computer other than that
specified. Regular expressions
and ranges can also be used to create advanced conditions which apply
to multiple matches.

Simple regular expressions can be used such as entering [abc]
will match anything which includes any of the characters within the brackets.
More complex queries can also be used, for example, ^[a-f]+
will match any user name which begins with a letter from a
to f.

The positioning of a condition within the Policy Configuration navigation
tree determines how it is applied. Conditions at the same level within
in the tree are evaluated simultaneously. A condition which is a child
of another condition, will only evaluate once the parent condition has
been successfully executed. All conditions, with the exception of Counter,
can also be added to the Environment tab in most triggers.

For any condition which queries the Active Directory,
the Environment Manager administrator must be a member of the target domain
or have sufficient permissions to access and query the domain.

Create
a Condition

This section applies to creating Directory
Membership, User, Computer and Session
& Client conditions only as the dialog boxes these conditions
use follow the same format.

In the Policy Configuration
navigation tree, select a node or create a new node within the trigger
you want to apply the condition to.

The condition can be added directly to the trigger
in the Environment tab.

In the Conditions ribbon,
select the required condition.

The condition tab, specific to the condition type
displays by default. This tab allows the parameters to be set using a
common group of options and fields. See Condition
Variables for further details.

Define the condition
using the available fields and checkboxes.

Select the General
tab.

Enter a description
and any optional notes. The description is used as the display name for
conditions. If this field is left blank the display name is automatically
set from the configured condition.

Click OK
to save the condition.

The Environment Manager agent uses the condition
to find a match with the same criteria for a logged on user. If a match
is found, any actions attached to the condition are executed.

Once created you can prevent a failed action from
continuing to execute any dependent sub nodes by selecting the Stop
sub node on fail check box in the node work area. By default, Stop sub node on fail is enabled
for new conditions.

Condition
Variables

Each type of condition can be specified using variations of the following
fields, drop-downs and checkboxes:

Equal
- A comparison is made against the contents of the Match
field to target the users or computers which fulfill those criteria. Enter
the criteria into the Match field
or use the ellipsis (...) to search
or select as required.

Not
Equal - Targets all users or computers which do not fulfill the
criteria in the Match field. Enter
the criteria in the Match field
or use the ellipsis to search or select as required.

Query
- Targets all users or computers which match the criteria specified in
the Query field. Using wildcards
in the query allows a wide range of matches, for example:

Between
- Used for conditions where a range of values can be set. For example,
a condition could be created to apply to a selected range of IP addresses.

Evaluate
once per session - When selected, a condition is evaluated and
the result is cached. If the condition is run again, the result is obtained
from the cache rather than evaluating the condition again. If you want
multiple instances of the same condition to evaluate only once, a reusable
condition must be created and referenced multiple times. If you create
multiple conditions, they will each be run one. If a reusable node is
referenced multiple times, evaluation only occurs once in the session.

This option is not available for conditions within
Process Start and Process
Stop triggers.

The behavior surrounding this option changed in 8.1. Prior to 8.1 the option
was evaluated when the configuration was parsed and cached for the session.
In 8.1 and later versions, the option is not evaluated until the trigger
is fired when the result is cached for the whole session.

For example, a Process
Start condition is created for calc.exe with the Evaluate
once per session checkbox selected. In 8.0 the result would be
cached for the session when the configuration is parsed at logon. In 8.x
the result is not cached until calc.exe is run.

The simple configuration below maps Printer 1 at logon for Endpoint
1. During logon, the Environment Manager agent checks the managed computer
against that specified in the condition; Endpoint 1. If the condition
is met, the action to map the printer to Printer 1 runs. If the managed
computer is anything other than Endpoint 1, the action is ignored.

In the Environment Manager console, the example would be as follows:

Adding a further condition at the same level creates an OR condition.
This configuration maps Printer 1 at logon for Endpoint 1 OR Endpoint
5. If the computer is one of those specified, the action to map the printer
to Printer 1 runs. If the managed computer is anything other than Endpoint
1 or Endpoint 5, the action is ignored.

If a condition is a child of another, an AND condition is created. A
condition which checks if the user is an administrator has been added
as a child of another condition. By adding this, the action will run for
the computers specified AND the user is an administrator.

AND and OR statements can be combined to create
AND OR conditions. This configuration maps Printer 1 at logon for Endpoint
1 OR Endpoint 5 for users which have administrator rights.

There is no limit to the number of conditions you can add to AND and OR conditions or the number of AND OR conditions
that can be used.

The AND OR labels and the item background colors can be turned on and off
in the Options
Ribbon.

Field
Validation

The table below lists the strings which are acceptable in the fields
of the various conditions.

Condition

Field

Allowed String

Example

User Group

Match

domain\group

appsense/sales
matches the group ’sales’ in the ’appsesnse’ domain.

LDAP

CN=sales, DC=appsense,
DC=com matches the ’sales’ group in the appsense.com domain.

Query

domain\gro*

appsense\sal*
matches group names starting with "sal" in the appsense
domain.

domain\*gro

appsense\*les
matches group names ending with "les" in the appsense
domain.

domain\*gro*

appsense\*ale*
matches group names containing "ale" in the appsense
domain.

User Name

Match

domain\user

appsense\smithj
matches the user name "smithj" in the appsense domain

Query

domain\use*

appsense\smit*
matches group names starting with "smit", in the appsense
domain.

domain\*use

appsense\*ith
matches group names ending with "ith", in the appsense
domain.

domain\*use*

appsense\*ith*
matches group names containing "ith", in the appsense
domain.

Computer Group

Match

domain\group

appsense/sales matches the group ’sales’ in the
’appsesnse’ domain.

LDAP

CN=sales, DC=appsense,
DC=com matches the ’sales’ group in the appsense.com domain.

Query

domain\gro*

appsense\sal*
matches group names starting with "sal" in the appsense
domain.

domain\*gro

appsense\*les
matches group names ending with "les" in the appsense
domain.

domain\*gro*

appsense\*ale*
matches group names containing "ale" in the appsense
domain.

Active Directory Based Conditions for Devices in Child Domains

Active Directory (AD) based client conditions convert the NetBIOS name of the client, obtained from Windows Terminal Server (or Citrix equivalent), to a FQDN used to query AD. The FDQN cannot be resolved if the terminal server is in the parent domain and is trying to resolve the FQDN of a connecting device in a child domain. This impacts Device and Custom rules, with Active Directory based client conditions, that are applied to terminal servers and VDIs in a root domain.

The terminal server must be configured with the DNS suffix of all child domains. The search list must be configured on all terminal servers wanting to resolve names for connecting in child domains.

For example, for the parent domain.local, the child domains, childa.domain.local and childb.domain.local, must be configured on the terminal server in order for AD based conditions to evaluate correctly.